lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 20 Nov 2018 19:25:49 -0800 (PST)
From:   David Miller <davem@...emloft.net>
To:     marcelo.leitner@...il.com
Cc:     lucien.xin@...il.com, netdev@...r.kernel.org,
        linux-sctp@...r.kernel.org, nhorman@...driver.com
Subject: Re: [PATCH net] sctp: count sk_wmem_alloc by skb truesize in
 sctp_packet_transmit

From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
Date: Tue, 20 Nov 2018 22:56:07 -0200

> On Mon, Nov 19, 2018 at 12:39:55PM -0800, David Miller wrote:
>> From: Xin Long <lucien.xin@...il.com>
>> Date: Sun, 18 Nov 2018 15:07:38 +0800
>> 
>> > Now sctp increases sk_wmem_alloc by 1 when doing set_owner_w for the
>> > skb allocked in sctp_packet_transmit and decreases by 1 when freeing
>> > this skb.
>> > 
>> > But when this skb goes through networking stack, some subcomponents
>> > might change skb->truesize and add the same amount on sk_wmem_alloc.
>> > However sctp doesn't know the amount to decrease by, it would cause
>> > a leak on sk->sk_wmem_alloc and the sock can never be freed.
>> > 
>> > Xiumei found this issue when it hit esp_output_head() by using sctp
>> > over ipsec, where skb->truesize is added and so is sk->sk_wmem_alloc.
>> > 
>> > Since sctp has used sk_wmem_queued to count for writable space since
>> > Commit cd305c74b0f8 ("sctp: use sk_wmem_queued to check for writable
>> > space"), it's ok to fix it by counting sk_wmem_alloc by skb truesize
>> > in sctp_packet_transmit.
>> > 
>> > Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
>> > Reported-by: Xiumei Mu <xmu@...hat.com>
>> > Signed-off-by: Xin Long <lucien.xin@...il.com>
>> 
>> Applied and queued up for -stable.
> 
> Dave, is there a way that we can check to which versions you queued it
> up?

I queued up the patch is, and then do backports as needed.

If you think it's too complex to backport this, I'll toss it from the
-stable queue and that's what I have just done.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ